Hi everyone. I have used mysql_real_escape_string before to make sure I don't get errors when updating databases. But what do you do when you're inserting data using an HTML form? There is no MySQL data to escape.
I have to say that escaping strings is a real pain as the website I manage deals with people's names, so anyone with an apostrophe in their name causes issues.
I was always told you can't use mysql_real_escape_string to escape strings until you have a data connection, but I have just tried it and it works. I will look at moving to PDO when I re-do the website over the summer (it's a sports league, so I don't want to mess with it until the season is finished).
I'm not sure I understand the problem. All mysql_real_escape_string does is escape the characters so that they are safe to use in mysql_query().
Have you tried htmlspecialchars?
Use htmlspecialchars or htmlentities to convert and save HTML tags and other entities in MySQL data.
Later you can use htmlspecialchars_decode or html_entity_decode to get the HTML text back.
You can find complete instructions about these functions on php.net.
Preventing errors from single quotes also helps the security of your website, since hackers can use SQL injection if there is an error in character insertion.
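Added example, not code from any poster in this thread: it shows the PDO prepared-statement approach the original poster plans to move to (covering the apostrophe problem and the SQL injection point in the last reply) together with htmlspecialchars used only at output time, as suggested in the replies above. An in-memory SQLite database stands in for MySQL so it runs offline, and the `players` table, its columns and the submitted names are constructed for the example.

```php
<?php
// Added example, not code from any post in this thread.
// Assumptions: an in-memory SQLite database stands in for MySQL, and the
// "players" table and its columns are hypothetical.

declare(strict_types=1);

function openDb(): PDO
{
    // In-memory SQLite so the example runs offline; for MySQL the DSN would be
    // something like 'mysql:host=localhost;dbname=league;charset=utf8mb4'.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for real server-side prepares rather than client-side emulation
    // (the MySQL driver honours this; SQLite prepares natively anyway).
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}

// Insert a name exactly as submitted. The value is sent separately from the
// SQL text, so apostrophes need no escaping and cannot alter the query.
function insertPlayer(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO players (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

function findPlayerByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM players WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape for HTML output at render time, not before storing: the database
// keeps the real name, and each output context does its own escaping.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = openDb();

// Constructed sample input standing in for $_POST['name'] from the HTML form.
$submitted = [
    "Dara O'Brien",
    "Ann \"Annie\" <Smith>",
    "x' OR '1'='1",   // would break a string-concatenated query; here it is just data
];

foreach ($submitted as $name) {
    insertPlayer($pdo, $name);
}

// Round trip: the apostrophe is stored and retrieved unchanged.
$row = findPlayerByName($pdo, "Dara O'Brien");
echo 'Stored as: ' . $row['name'] . PHP_EOL;

// Every submitted name became one ordinary row, quotes included.
$count = (int) $pdo->query('SELECT COUNT(*) FROM players')->fetchColumn();
echo 'Rows: ' . $count . PHP_EOL;

// Render for a page: htmlspecialchars turns <, >, " and ' into entities so
// the browser shows the text instead of interpreting it as markup.
foreach ($pdo->query('SELECT name FROM players ORDER BY id') as $r) {
    echo '<li>' . h($r['name']) . '</li>' . PHP_EOL;
}
```

Run it with `php example.php` (needs the pdo_sqlite extension). The point to take from it is the separation of duties: the prepared statement keeps names with apostrophes from ever being spliced into SQL, and htmlspecialchars is applied only when the stored value is written into HTML, so nothing is double-encoded and the database holds the name as the person typed it.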